What's inside this month

poll

M is for Malware Any piece of malicious software that infects a computer system, forcing it to do an attacker’s bidding. Viruses are one kind of malware, but there are others: Trojan horses trick users into installing them; spyware surveys computer activity; and keyloggers transmit a record of everything that’s typed—passwords and all.

There’s no magic bullet to protect yourself; as with real viruses, the best defence is good hygiene. That means up-to-date software, good passwords, and knowing to avoid infectious items: unsolicited attachments, dodgy websites and common scams.

N is for New targets In February, 2011, Google had a problem: Attackers had cooked up a nasty Trojan horse that fooled Android users into thinking they were installing a regular app—but they really installed malware that turned over personal information to a remote server and gave hackers substantial control over the phone.

Google quickly sent out a clean-up piece of software to clear up the infection. Attackers saw the hype around the fix, and did the only logical thing: They created a fake clean-up tool that, when installed, actually infected the phone with more malware.

This is the new battleground. Smartphone shipments finally surpassed those of PCs in 2012, to the tune of 488 million units. The paradigm shift has not gone unnoticed in the underworld. The chief target is Android, in part because it’s so popular, and in part because users can download apps from anywhere. “Just like in the PC world, where the Microsoft monoculture created a really big problem, you’re starting to see the same problem with Android monoculture,” says SecDev’s Rohozinski.

IPhones and iPads are less vulnerable, chiefly because Apple insists that all apps be installed through the App Store, where it screens every app by hand. “Jailbroken” iPhones, which have had their Apple-imposed restrictions removed by adventurous users, are wide open. According to Symantec, two worms have been spotted on jailbroken iPhones: One demanded an 5 euro PayPal ransom before unlocking the phone; the other just changed the wallpaper to Rick Astley.

O is for Outlay How much does peace of mind cost? In their survey of Canadian business, Telus and the Rotman School found that the sweet spot for security outlay was between 5% and 6% of IT expenditures.

P is for Password recycling Scenario: You roll into work one day, and discover that someone has weaselled their way into your e-mail account, changed the password to lock you out, and is now sending scam messages to your friends in your name, begging for money.

What happened? Maybe you picked a password that’s easy to guess. Even security professionals use terrible passwords like family members’ names—which can easily be found online—or words like, well, “password.”

But the odds are good that you’ve fallen into another trap: You’ve used the same password for a variety of different accounts. Remember: Not all websites are equally secure, or equally scrupulous. Your bank can probably be trusted with your name and password. But suppose you use the same password to sign up for a website whose programmers turn out to be inept, and who allow your name and password to be stolen. (Sound implausible? In 2011, LulzSec hacked into the database of no less than Sony, and published the passwords of thousands of Sonypictures.com users.) Hackers could then plug those same credentials into Facebook, Gmail, Twitter or, worse still, that trustworthy bank of yours. It’s hard to blame anyone for not remembering a different password for every account. But at a minimum, use different passwords for the accounts that are critical to your finances and online identity.

Q is for Quantity In 2010, consumers and enterprises stored more than 13 exabytes of data on drives, notebooks and PCs. A single exabyte is 4,000 times as much information as is stored in the Library of Congress. We now create more data than we can physically store. It’s being called the age of “Big Data”—and the new challenge in the security world isn’t just gaining access to it, but making sense of it.

R is for RSA What does it take to take down one of the top computer-security vendors? An employee opening an unsolicited Excel attachment.

RSA is the security arm of EMC Corp. Among other things, RSA sells software that helps double-authenticate logins and passwords. Reportedly, an attacker sent a phony e-mail to an employee; its attachment installed a piece of backdoor software that gave the attackers access to the keys to some of RSA’s user authentication products. Then, they turned around and used this information to infiltrate one of RSA’s clients: defence contractor Lockheed Martin. One ill-considered double-click gave away the keys to the kingdom.

Restrictions

All rights reserved. Republication or redistribution of Thomson Reuters content, including by framing or similar means, is prohibited without the prior written consent of Thomson Reuters. Thomson Reuters is not liable for any errors or delays in Thomson Reuters content, or for any actions taken in reliance on such content. ‘Thomson Reuters’ and the Thomson Reuters logo are trademarks of Thomson Reuters and its affiliated companies.